
Example 1 with SamlToken

Use of org.apache.wss4j.policy.model.SamlToken in the project cxf by apache.

The class AsymmetricBindingHandler, method doSignBeforeEncrypt.

private void doSignBeforeEncrypt() {
    try {
        // Signing token: a dedicated initiator signature token wins; otherwise the
        // binding's plain initiator token is used.
        AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
        if (initiatorWrapper == null) {
            initiatorWrapper = abinding.getInitiatorToken();
        }
        assertTokenWrapper(initiatorWrapper);
        // Records whether the signing token element was already placed in the header;
        // the flag is handed on to doSignature() below.
        boolean attached = false;
        if (initiatorWrapper != null) {
            AbstractToken initiatorToken = initiatorWrapper.getToken();
            if (initiatorToken instanceof IssuedToken) {
                SecurityToken secToken = getSecurityToken();
                if (secToken == null) {
                    // No usable issued token: the policy cannot be met, so stop here
                    // before anything is signed or encrypted.
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                } else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    // Policy requires the token to be included: attach a copy of its element.
                    Element el = secToken.getToken();
                    this.addEncryptedKeyElement(cloneElement(el));
                    attached = true;
                }
            } else if (initiatorToken instanceof SamlToken && isRequestor()) {
                // Requestor side: create the SAML assertion and, when inclusion is required,
                // add it as a supporting element and keep it as the security token.
                SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) initiatorToken);
                if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element envelope = saaj.getSOAPPart().getEnvelope();
                    envelope = (Element) DOMUtils.getDomElement(envelope);
                    addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
                    storeAssertionAsSecurityToken(assertionWrapper);
                }
            } else if (initiatorToken instanceof SamlToken) {
                // Non-requestor side: a SAML token id must already be available; if not,
                // the policy is unasserted and processing stops.
                String tokenId = getSAMLToken();
                if (tokenId == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                }
            }
            assertToken(initiatorToken);
        }
        // Add timestamp
        // Parts to sign: the timestamp (when present), then the supporting tokens,
        // then the policy's signed parts.
        List<WSEncryptionPart> sigs = new ArrayList<>();
        if (timestampEl != null) {
            WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
            sigs.add(timestampPart);
        }
        addSupportingTokens(sigs);
        sigs.addAll(this.getSignedParts(null));
        if (isRequestor() && initiatorWrapper != null) {
            // Requestor: sign with the initiator token, then add endorsing signatures.
            doSignature(initiatorWrapper, sigs, attached);
            doEndorse();
        } else if (!isRequestor()) {
            // confirm sig
            // Responder: add SignatureConfirmation elements, then sign with the recipient
            // signature token (falling back to the recipient token).
            addSignatureConfirmation(sigs);
            AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
            if (recipientSignatureToken == null) {
                recipientSignatureToken = abinding.getRecipientToken();
            }
            if (recipientSignatureToken != null) {
                assertTokenWrapper(recipientSignatureToken);
                assertToken(recipientSignatureToken.getToken());
                doSignature(recipientSignatureToken, sigs, attached);
            }
        }
        List<WSEncryptionPart> enc = getEncryptedParts();
        // Check for signature protection
        // With EncryptSignature the main signature element and any signature
        // confirmations are added to the parts to encrypt.
        if (abinding.isEncryptSignature()) {
            if (mainSigId != null) {
                WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
                sigPart.setElement(bottomUpElement);
                enc.add(sigPart);
            }
            if (sigConfList != null && !sigConfList.isEmpty()) {
                enc.addAll(sigConfList);
            }
            assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }
        // Do encryption
        // Encryption token: the requestor encrypts for the recipient, the responder for
        // the initiator; each side falls back from the dedicated encryption token to the
        // plain token of that party.
        AbstractTokenWrapper encToken;
        if (isRequestor()) {
            enc.addAll(encryptedTokensList);
            encToken = abinding.getRecipientEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getRecipientToken();
            }
        } else {
            encToken = abinding.getInitiatorEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getInitiatorToken();
            }
        }
        if (encToken != null) {
            // Nothing to encrypt when the part list is empty; the token is still asserted.
            if (encToken.getToken() != null && !enc.isEmpty()) {
                final WSSecBase encr;
                if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                    encr = doEncryptionDerived(encToken, enc);
                } else {
                    // Fresh symmetric key generated for the algorithm suite's encryption algorithm.
                    String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
                    KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
                    SecretKey symmetricKey = keyGen.generateKey();
                    encr = doEncryption(encToken, enc, false, symmetricKey);
                }
                encr.clean();
            }
            assertTokenWrapper(encToken);
            assertToken(encToken.getToken());
        }
    } catch (Exception e) {
        // Only the message is logged at WARNING; the stack trace stays at FINE.
        // The failure is surfaced to the caller as a Fault wrapping the cause.
        String reason = e.getMessage();
        LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
        LOG.log(Level.FINE, e.getMessage(), e);
        throw new Fault(e);
    }
}

Example 2 with SamlToken

Use of org.apache.wss4j.policy.model.SamlToken in the project cxf by apache.

The class AbstractCommonBindingHandler, method assertToken.

/**
 * Asserts the policy alternatives that a single token requires: the token's own
 * assertion, its DerivedKeys assertion (if any) and the token-type specific
 * sub-assertions.
 *
 * @param token the policy token to assert; a {@code null} token is ignored
 */
protected void assertToken(AbstractToken token) {
    if (token == null) {
        return;
    }
    final QName tokenName = token.getName();
    assertPolicy(tokenName);
    final String namespace = tokenName.getNamespaceURI();
    if (token.getDerivedKeys() != null) {
        assertPolicy(new QName(namespace, token.getDerivedKeys().name()));
    }

    // Type-specific assertions. The checks are kept in the original order; keep
    // SecureConversationToken ahead of SecurityContextToken in case the former is a
    // subtype of the latter in the wss4j model (confirm before reordering).
    if (token instanceof X509Token) {
        assertX509Token((X509Token) token);
        return;
    }
    if (token instanceof HttpsToken) {
        final HttpsToken httpsToken = (HttpsToken) token;
        if (httpsToken.getAuthenticationType() != null) {
            assertPolicy(new QName(namespace, httpsToken.getAuthenticationType().name()));
        }
        return;
    }
    if (token instanceof KeyValueToken) {
        if (((KeyValueToken) token).isRsaKeyValue()) {
            assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
        }
        return;
    }
    if (token instanceof UsernameToken) {
        assertUsernameToken((UsernameToken) token);
        return;
    }
    if (token instanceof SecureConversationToken) {
        assertSecureConversationToken((SecureConversationToken) token);
        return;
    }
    if (token instanceof SecurityContextToken) {
        assertSecurityContextToken((SecurityContextToken) token);
        return;
    }
    if (token instanceof SpnegoContextToken) {
        assertSpnegoContextToken((SpnegoContextToken) token);
        return;
    }
    if (token instanceof IssuedToken) {
        assertIssuedToken((IssuedToken) token);
        return;
    }
    if (token instanceof KerberosToken) {
        assertKerberosToken((KerberosToken) token);
        return;
    }
    if (token instanceof SamlToken) {
        assertSamlToken((SamlToken) token);
    }
}

Example 3 with SamlToken

Use of org.apache.wss4j.policy.model.SamlToken in the project cxf by apache.

The class SamlTokenPolicyValidator, method validatePolicies.

/**
 * Validates each {@code SamlToken} policy assertion against the SAML assertions
 * received in the message.
 * <p>
 * A token that the policy does not require to be present only has its token type
 * asserted. Otherwise at least one SAML result must exist, and every received
 * assertion must have the policy's SAML version and, unless subject confirmation
 * checking is switched off via {@code SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION},
 * satisfy the holder-of-key and sender-vouches checks. A failure on any assertion
 * marks the policy as not asserted; the remaining results are still inspected.
 *
 * @param parameters message, results and assertion map for this validation
 * @param ais the {@code SamlToken} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        final SamlToken samlToken = (SamlToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(samlToken, parameters.getAssertionInfoMap());

        if (!isTokenRequired(samlToken, parameters.getMessage())) {
            // Not required: only the token-type alternative needs asserting.
            final QName tokenType = new QName(samlToken.getVersion().getNamespace(),
                                              samlToken.getSamlTokenType().name());
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), tokenType);
            continue;
        }

        if (parameters.getSamlResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }

        // Subject confirmation checks are on unless the property explicitly disables them.
        final String subjectConfProperty = (String) SecurityUtils.getSecurityPropertyValue(
            SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, parameters.getMessage());
        final boolean checkSubjectConfirmation =
            subjectConfProperty == null || Boolean.parseBoolean(subjectConfProperty);

        // Every received assertion has to conform to this policy.
        for (WSSecurityEngineResult result : parameters.getSamlResults()) {
            final SamlAssertionWrapper assertion =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertion)) {
                ai.setNotAsserted("Wrong SAML Version");
                continue;
            }
            if (!checkSubjectConfirmation) {
                continue;
            }
            // Peer certificates from the TLS session, if the message arrived over TLS.
            final TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
            final Certificate[] tlsCerts = tlsInfo == null ? null : tlsInfo.getPeerCertificates();
            if (!checkHolderOfKey(assertion, parameters.getSignedResults(), tlsCerts)) {
                ai.setNotAsserted("Assertion fails holder-of-key requirements");
                continue;
            }
            if (parameters.getSoapBody() == null
                || !DOMSAMLUtil.checkSenderVouches(assertion, tlsCerts,
                                                   parameters.getSoapBody(),
                                                   parameters.getSignedResults())) {
                ai.setNotAsserted("Assertion fails sender-vouches requirements");
            }
            // NOTE: no IssuerName check is applied to the assertion here.
        }
    }
}

Example 4 with SamlToken

Use of org.apache.wss4j.policy.model.SamlToken in the project cxf by apache.

The class SignedTokenPolicyValidator, method validatePolicies.

/**
 * Validates the signed supporting token assertions.
 * <p>
 * For each {@code SupportingTokens} assertion the signed/encrypted parts and
 * elements it declares are recorded, then every token the policy requires to be
 * present must have been processed successfully from the received results. A token
 * type this validator does not handle, or a failed processing step, marks the
 * assertion as not asserted.
 *
 * @param parameters message, results and assertion map for this validation
 * @param ais the {@code SupportingTokens} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        final SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        // Record what the policy says must be signed or encrypted.
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());

        for (AbstractToken token : binding.getTokens()) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }
            final boolean processed;
            if (token instanceof UsernameToken) {
                processed = processUsernameTokens(parameters, false);
            } else if (token instanceof SamlToken) {
                processed = processSAMLTokens(parameters, false);
            } else if (token instanceof KerberosToken) {
                processed = processKerberosTokens(parameters, false);
            } else if (token instanceof X509Token) {
                processed = processX509Tokens(parameters, false);
            } else if (token instanceof KeyValueToken) {
                processed = processKeyValueTokens(parameters);
            } else if (token instanceof SecurityContextToken) {
                processed = processSCTokens(parameters, false);
            } else if (token instanceof IssuedToken) {
                // An issued token is only checked as a SAML token when its policy calls for one.
                final IssuedToken issuedToken = (IssuedToken) token;
                processed = !isSamlTokenRequiredForIssuedToken(issuedToken)
                    || processSAMLTokens(parameters, false);
            } else {
                // Token type not handled by this validator.
                processed = false;
            }
            if (!processed) {
                ai.setNotAsserted("The received token does not match the signed supporting token requirement");
            }
        }
    }
}

Example 5 with SamlToken

Use of org.apache.wss4j.policy.model.SamlToken in the project cxf by apache.

The class EndorsingTokenPolicyValidator, method validatePolicies.

/**
 * Validates the endorsing supporting token assertions.
 * <p>
 * For each {@code SupportingTokens} assertion the signed/encrypted parts and
 * elements it declares are recorded. Tokens the policy does not require only get
 * their DerivedKeys and secure-parts alternatives asserted. Every required token
 * must have been processed successfully (with derived keys when the token demands
 * {@code RequireDerivedKeys}); otherwise the assertion is marked not asserted. When
 * derived keys were required and a DKT action result is present, the DerivedKeys
 * alternative is asserted as well.
 *
 * @param parameters message, results and assertion map for this validation
 * @param ais the {@code SupportingTokens} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        final SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        // Record what the policy says must be signed or encrypted.
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());

        for (AbstractToken token : binding.getTokens()) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            final boolean derived = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
            final boolean processed;
            if (token instanceof KerberosToken) {
                processed = processKerberosTokens(parameters, derived);
            } else if (token instanceof X509Token) {
                processed = processX509Tokens(parameters, derived);
            } else if (token instanceof KeyValueToken) {
                processed = processKeyValueTokens(parameters);
            } else if (token instanceof UsernameToken) {
                processed = processUsernameTokens(parameters, derived);
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                processed = processSCTokens(parameters, derived);
            } else if (token instanceof SamlToken) {
                processed = processSAMLTokens(parameters, derived);
            } else if (token instanceof IssuedToken) {
                // An issued token is only checked as a SAML token when its policy calls for one.
                final IssuedToken issuedToken = (IssuedToken) token;
                processed = !isSamlTokenRequiredForIssuedToken(issuedToken)
                    || processSAMLTokens(parameters, derived);
            } else {
                // Token type not handled by this validator.
                processed = false;
            }
            if (!processed) {
                ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
